Dynamic coefficient symmetric polynomial-based secure key management scheme for Internet of Things (IoT) networks

Background. With the extensive application and continuous expansion of the Internet of Things (IoT), the access of a large number of resource-limited nodes exposes IoT applications to a variety of security vulnerabilities and efficiency limitations, so that both the operating efficiency and the security of the IoT are greatly challenged. Key management is the core element of network security and one of the most challenging security problems faced by wireless sensor networks. A suitable key management scheme can effectively defend against network security threats. However, most of the key management schemes proposed so far do not take efficiency into account in terms of connectivity rate and resource overhead, and some of them even have security risks.
Methods. In this article, based on the symmetric polynomial algorithm, a dynamic coefficient symmetric polynomial key management scheme is proposed to better solve the IoT security problem. In this scheme, the nodes' IDs are mapped to elements of the shared matrix M by an identity mapping algorithm, and these elements are used to construct the polynomial P(x, y) that generates pairwise keys. Each pair of communicating nodes has its own coefficients of P(x, y) and thus a higher connectivity.
Results. The overall performance evaluation shows that the scheme significantly improves the resilience against node capture and effectively reduces the communication and storage overheads compared to previous schemes. Moreover, the scheme overcomes the λ-security limitation of symmetric polynomial key management schemes and is able to provide a large pool of polynomials for wireless sensor networks, facilitating large-scale deployment of nodes.


INTRODUCTION
In the network architecture of the Internet of Things (IoT), new distributed models (Bouarourou, Boulaalam & Nfaoui, 2021; Labib et al., 2021) and a multi-hop clustering scheme (Muthukkumar et al., 2022) have been proposed for heterogeneous wireless sensor networks (WSNs). The q-s-composite scheme (Gandino, Ferrero & Rebaudengo, 2017) could not resist node replication attacks; combining a localization algorithm with a voting mechanism supports the detection and removal of malicious nodes, and further modification of the parameters resists node replication attacks. To solve the security of key management and to optimize IoT security performance indices, Harn, Hsu & Xia (2021) proposed a novel key distribution scheme. Their key distribution protocol only needs logical XOR operations, which is much faster than other schemes. Wang et al. (2020) proposed a WSN layer-cluster key management scheme based on a quadratic polynomial and a Lagrange interpolation polynomial. Nafi, Bouzefrane & Omar (2020) proposed a new lightweight matrix-based key management protocol for IoT networks. Sharma & Purushothama (2022) proposed a new and efficient scheme (BP-MGKM) for secure multi-group key management based on a bivariate polynomial. Najafi & Babaie (2023) proposed a lightweight hierarchical key management approach that generates shorter and more secure keys thanks to a hierarchical structure based on the position and remaining energy of nodes. Msolli et al. (2023) proposed a key management scheme with a pool-hash for key establishment: a new key pool contains the original keys together with hashed keys that keep the same identities, so that the new session keys transmitted to the sensor nodes are established during the discovery and path-key phases. Taurshia et al. (2022) presented a novel Group Key Management scheme for Low-Resource Devices (GKM-LRD) to offer a key management service to groups in IoT applications. Nafi et al. (2022) proposed a new key management protocol aiming to secure communications before and after key establishment, using hash and one-to-one functions to achieve security during the key establishment process. Rezaeipour & Barati (2022) presented a key management protocol that delivers services such as message confidentiality, integrity, and authenticity to wireless sensor networks by handling key generation, distribution, and maintenance. Kandi et al. (2022) proposed a novel decentralized blockchain-based protocol for the IoT, balancing the loads between nodes according to their capabilities. Wei et al. (2021) proposed two space-efficient Bitcoin-compatible key management schemes for the Lightning Network, based on a hash function and a trapdoor one-way function, respectively.
However, all these solutions have shortcomings in the overall performance of connectivity, energy consumption, and security. In particular, a small number of compromised nodes may affect the majority of pairwise keys. This greatly restricts the maximum number of nodes (the nodes' limitation number) the sensor network can hold if the polynomial is to remain unconditionally secure. Increasing the safety threshold λ of the polynomial f(x, y) enlarges the nodes' limitation number a little, but it causes a more serious problem: a higher-degree polynomial greatly increases the computation and storage overhead at the same time.
Making node communication in these schemes more secure requires a new mechanism to address the λ-security problem. In addition, we should also consider the following issue: as some nodes are captured, the communication security of other nodes is directly affected, and all nodes could even be compromised. It should be noted that the energy, storage and communication overhead of sensor nodes are limited. The proposed scheme should maintain high node connectivity and low energy consumption.
Our scheme has better resilience to node capture attacks, a high connectivity rate between nodes, and can considerably reduce the communication and storage overhead. The contributions of this article are summarized as follows:
(1) Resilience. It offers more effective resilience to node capture attacks for the λ-security problem and has better resistance than other key management schemes.
(2) High connectivity rate. Our scheme uses an identity mapping algorithm to map a series of coefficients of P(x, y), and each pair of communicating nodes is able to establish a pairwise key.
(3) Low computational overhead. Even though the pairwise key establishment phase consumes more energy than in the other key management schemes, the node's chip is sufficient to handle polynomial and hash algorithms.
(4) Low communication overhead. Communicating nodes exchange only their identity information, and the sensor network directly runs the identity mapping algorithm on the identity information of the sensor nodes to get pairwise keys. There are no extra communication streams, except for identity information, during pairwise key establishment, which greatly reduces the communication overhead.
(5) Low storage overhead. With λ = 7, our scheme generates quite a small amount of code for pairwise key establishment. The shared matrix M can generate a series of coefficients of P(x, y) according to the sensor node's ID, and the sensor network of a cluster-head node is able to hold 1.75 × 10^5 nodes, which meets the requirements of many scenarios.
The structure of the article is as follows. "Preliminaries" describes the preliminaries. "Overview of Proposed Scheme" proposes our scheme with dynamic coefficient symmetric polynomials, including the key pre-distribution and key agreement phases. In "Theoretical Analysis", we analyze the classical security properties. "Performance Analysis" presents a comparative study and simulation results. "Conclusions" concludes this article.

PRELIMINARIES
In this section, we introduce the network model and background, as well as explain the symbols used and their descriptions in this article.

Notation
Table 1 shows the notation used in the article.

Network model
Our scheme is suitable for a distributed network architecture, which consists of remote server nodes, gateway nodes and sensor nodes.All sensor nodes in the network have the same resources with the functions of sensing, collecting and transmitting data.Moreover, these sensor nodes are able to communicate with each other.Figure 1 shows the network model we have assumed.

OVERVIEW OF PROPOSED SCHEME
In this section, we describe the dynamic coefficient symmetric polynomial key management scheme for IoT networks, which has two phases: the key pre-distribution phase and the pairwise key agreement phase. In the following, we describe the details of each phase.

Key pre-distribution phase
(1) Before nodes are deployed, each node stores the information in advance, including a unique node ID and a hash function.
(2) Node N_l (l = 1, 2, ..., N) is preloaded with the shared matrix M, where N is the number of nodes in the network. The size of M is (λ + 1) × (λ + 1), and each element a_{i,j} (i, j = 0, 1, 2, ..., λ) lies in a finite field F(q), where q is a prime number large enough to accommodate a cryptographic key.

Key agreement phase
The pairwise key is used for end-to-end unicast communication. Communicating nodes authenticate each other's identity, construct the matrix coordinate set {(w_i, v_j) | i, j = 0, 1, 2, ..., λ} and the coefficient set {a_(w_i, v_j) | i, j = 0, 1, 2, ..., λ} of P(x, y), and establish a pairwise key, as shown in Fig. 2. Note that each generated key takes the same storage as a coefficient of the λ-degree polynomial.

Table 1. The notation used in this article.
l_ID   The length of a node or key identifier
l_k    The length of a key, l_k = log_2 q
q      A prime number that is large enough to accommodate a cryptographic key
|ω|    Size of the polynomial pool
λ      The security threshold
N      The number of sensor nodes in a network
τ      The number of polynomials preloaded in each node
s      The number of keys preloaded in each node
⊕      XOR operation

Construct matrix coordinate set C_ml and coefficient set A_ml
Nodes N_l and N_m map their identities to matrix coordinates (w_i, v_j) of M and obtain the element a_(w_i, v_j) from M by the matrix coordinates (w_i, v_j). Figure 3 shows the identity mapping algorithm.
(1) Nodes N_l and N_m obtain the mapped identity.
(2) Nodes N_l and N_m output more than 2t(λ + 1) bits of fixed-length data L.
(3) The first t(λ + 1) bits in L are mapped to the row coordinates w_i of M. The length of w_i (0 ≤ i ≤ λ) is fixed; w_i indicates a row coordinate of M. The output L of the hash function is binary and must be converted to decimal form. For instance, w_1 = 01011 can be expressed in decimal form as w_1 = 0 × 2^4 + 1 × 2^3 + 0 × 2^2 + 1 × 2^1 + 1 × 2^0 = 11.
(4) The next t(λ + 1) bits in L are mapped to the column coordinates v_j of M. The length of v_j (0 ≤ j ≤ λ) is fixed; v_j indicates a column coordinate of M. Like w_i, v_j is binary and must be converted to decimal form.
(5) Nodes N_l and N_m generate the matrix coordinate set C_ml of the symmetric polynomial P(x, y) from the row coordinates w_i and the column coordinates v_j. The coefficient set A_ml of P(x, y) is established from C_ml and then used as the coefficients of P(x, y).
The communicating nodes establish pairwise keys with P(x, y). Nodes N_m and N_l respectively construct the pairwise keys K_ml and K_lm, as shown in Fig. 4, from the elements a_(w_i, v_j) of M, as P(x, y) =
(1) When node N_m executes P(x, y), the inputs for the variables x and y are x = ID_Nm, y = ID_Nl.
(2) When node N_l executes P(x, y), we input x = ID_Nl, y = ID_Nm.
(3) Since the polynomial P(x, y) is symmetric, K_ml is equal to K_lm.
Thus nodes N_l and N_m have established a pairwise key, i.e., when node N_m communicates with node N_l, they share a common coefficient set A_ml for P(x, y). The coefficient sets A of P(x, y) differ between distinct pairs of communicating nodes. For example, the two pairs of nodes (N_m, N_l) and (N_m, N_d) in the sensor network have different coefficient sets A_ml and A_md, so the attacker cannot use Lagrange interpolation to reconstruct P(x, y).
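The following Python sketch is an added example, not the paper's code: it walks through steps (1) to (5) and the key computation for two nodes, and also evaluates the pool size |ω| = [(λ + 1)^2]^((λ + 1)^2) used in "Theoretical Analysis". Because the paper's own equations for these steps are not legible in this extraction, the example assumes SHA-256 as the hash, a symmetric shared matrix M derived from a constructed seed, the two IDs concatenated in sorted order as the pair's mapped identity, and a mirrored coefficient set so that P(x, y) = P(y, x) holds.

```python
import hashlib

# Toy parameters, constructed for this example (not the paper's experiments).
LAMBDA = 3      # security threshold λ: degree of P(x, y) in x and in y
T = 2           # t bits per coordinate; needs 2**T <= λ + 1 to index M
Q = 2**61 - 1   # prime q of the field F(q); a Mersenne prime for convenience


def make_shared_matrix(seed, lam, q):
    """(λ+1)x(λ+1) shared matrix M preloaded into every node. Assumption: M is
    derived from a deployment-time secret seed and made symmetric; the paper
    only states that its elements are over F(q)."""
    n = lam + 1
    m = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i, n):
            digest = hashlib.sha256(seed + bytes([i, j])).digest()
            m[i][j] = m[j][i] = int.from_bytes(digest, "big") % q
    return m


def mapped_identity(id_a, id_b):
    """Step (1). Assumption: the pair's mapped identity is the two IDs
    concatenated in sorted order, so both nodes derive the same value."""
    lo, hi = sorted((id_a, id_b))
    return lo.to_bytes(4, "big") + hi.to_bytes(4, "big")


def hash_bits(data, nbits):
    """Step (2): fixed-length output L of at least 2t(λ+1) bits (SHA-256 here)."""
    digest = hashlib.sha256(data).digest()
    return "".join(f"{b:08b}" for b in digest)[:nbits]


def coordinates(l_bits, lam, t):
    """Steps (3)-(4): the first t(λ+1) bits give the row coordinates w_i, the
    next t(λ+1) bits the column coordinates v_j; each t-bit chunk is converted
    from binary to decimal (the paper's example: '01011' -> 11)."""
    n = lam + 1
    rows = [int(l_bits[i * t:(i + 1) * t], 2) for i in range(n)]
    cols = [int(l_bits[(n + j) * t:(n + j + 1) * t], 2) for j in range(n)]
    return rows, cols


def coefficient_set(m, rows, cols):
    """Step (5): coefficient set A_ml from the elements a_(w_i, v_j) of M.
    Assumption: the coefficient of x^i y^j is a_(w_i, v_j) for i <= j and is
    mirrored for i > j, which guarantees P(x, y) == P(y, x)."""
    n = len(rows)
    c = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i, n):
            c[i][j] = c[j][i] = m[rows[i]][cols[j]]
    return c


def eval_poly(c, x, y, q):
    """P(x, y) = sum over i, j of c_ij * x^i * y^j mod q."""
    n = len(c)
    return sum(c[i][j] * pow(x, i, q) * pow(y, j, q)
               for i in range(n) for j in range(n)) % q


def pairwise_key(m, my_id, peer_id, lam, t, q):
    """One node's computation: x is its own ID, y the peer's ID. Returns the
    key and the coefficient set that produced it."""
    assert 2 ** t <= lam + 1, "t-bit coordinates must index the (λ+1)x(λ+1) M"
    l_bits = hash_bits(mapped_identity(my_id, peer_id), 2 * t * (lam + 1))
    rows, cols = coordinates(l_bits, lam, t)
    c = coefficient_set(m, rows, cols)
    return eval_poly(c, my_id, peer_id, q), c


def pool_size(lam):
    """|ω| = [(λ+1)^2]^((λ+1)^2): each of the (λ+1)^2 coefficient positions can
    hold any of the (λ+1)^2 elements of M; for λ = 3 this is 2^64 ≈ 1.84e19."""
    return ((lam + 1) ** 2) ** ((lam + 1) ** 2)


def demo():
    """Pairs (N_l, N_m) and (N_m, N_d) with constructed IDs."""
    m = make_shared_matrix(b"constructed deployment secret", LAMBDA, Q)
    id_l, id_m, id_d = 0x1001, 0x2002, 0x3003
    k_lm, _ = pairwise_key(m, id_l, id_m, LAMBDA, T, Q)      # computed by N_l
    k_ml, a_ml = pairwise_key(m, id_m, id_l, LAMBDA, T, Q)   # computed by N_m
    k_md, a_md = pairwise_key(m, id_m, id_d, LAMBDA, T, Q)   # N_m talking to N_d
    return {"key": k_lm, "symmetric": k_lm == k_ml,          # K_ml == K_lm
            "distinct_pairs": a_ml != a_md}                  # A_ml != A_md
```

With t = log_2(λ + 1), as in the parameter pairs the paper evaluates (λ = 1, t = 1 and λ = 3, t = 2), every t-bit coordinate lands inside M without reduction.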

THEORETICAL ANALYSIS
In this section, we evaluate the λ-security of the symmetric polynomial and the size of the polynomial pool. The theoretical analysis shows that the proposed scheme can effectively address the λ-security problem and also has a polynomial pool large enough to resist brute-force attacks.

λ-security of symmetric polynomial
The key management scheme based on a symmetric polynomial uses the polynomial.
The key management scheme based on a symmetric polynomial uses the polynomial P(x, y) of Formula (12). When we obtain more than (λ + 1) × (λ + 1) IDs and their pairwise keys, this information forms a matrix equation. The coefficient matrix W and the augmented matrix W̄ = (W, P) are given in Eqs. (14) and (15). When R(W) = R(W̄) = λ + 1, Eq. (19) has a unique solution, by the standard theorem on systems of linear equations. For a hierarchical network with d nodes sharing one polynomial P(x, y), every pair of communicating nodes shares the same (λ + 1)^2 coefficients selected from M, thus establishing d pairwise keys. In theory, reconstructing a λ-degree P(x, y) by Lagrange interpolation requires at least (λ + 1) nodes' information, containing (λ + 1) polynomial values and (λ + 1) IDs. Lagrange interpolation is formulated as
Obviously, with fewer than λ sensor nodes, the attacker obtains insufficient information to reconstruct P(x, y) by Lagrange interpolation. The proposed key management scheme maps the IDs of communicating nodes to different elements a_ij (i, j = 0, 1, ..., λ) of M by the identity mapping algorithm, and uses these elements a_ij as the coefficients of P(x, y). Since every node has a unique ID, the selected elements a_ij are also different. Hence it is difficult for attackers to reconstruct P(x, y) by Lagrange interpolation.

Size of polynomial pool with different λ
Given the limits on λ and t, our scheme uses a hash function whose output length is 2t(λ + 1) bits, so the coefficients can be combined into [(λ + 1)^2]^((λ + 1)^2) polynomials. That is, our key management scheme generates a polynomial pool ω containing |ω| = [(λ + 1)^2]^((λ + 1)^2) polynomials, and each node selects a polynomial from this pool. In other words, every node in the network carries any given polynomial from the pool with probability 1/|ω|. For security, our scheme should put a limit of at most |ω|(λ + 1)^2 nodes. Figure 5 shows the size of the polynomial pool |ω| for different λ. When λ = 3, our scheme generates a polynomial pool holding 1.84 × 10^19 polynomials, which allows our scheme to be used in most scenarios. In addition, our scheme resists brute-force attacks well. To obtain a pairwise key, an attacker has to obtain the coefficients a_(w_i, v_j) of P(x, y) from the shared matrix M, for which there are [(λ + 1)^2]^((λ + 1)^2) possibilities to try. When λ = 3, the polynomial pool holds 1.84 × 10^19 polynomials, and trying that many possibilities is infeasible for an attacker.

PERFORMANCE ANALYSIS
We have conducted a comparative study of a number of related schemes, carried out scientific research, collected data through compliant methods, and evaluated the performance of our scheme through realistic simulations, including the resilience of node capture, connectivity, and resource overhead (energy, memory, and computation) in the pairwise key establishment process.

Resilience against node capture
A proper key management scheme should resist attacks while the network continues its normal operation. The main security threat to the proposed solution is the λ-security problem. The security analysis of the new scheme in this section mainly analyzes its resilience to node capture. Resilience is computed as the fraction of links between non-compromised nodes that are compromised. When the number of nodes in the network is large enough, the output values of the hash function collide, and communicating nodes hold the same hash output L and the same P(x, y). The security analysis shows that our scheme not only offers more effective resilience to node capture attacks for the λ-security problem, but also has better resistance to node capture attacks than the other key management schemes.

Probability of at least one matrix being broken
Let S_i be the event that the i-th polynomial P(x, y) is cracked (i ∈ {1, 2, ..., |ω|}). All coefficients a_ij (i, j = 0, 1, ..., λ) selected from M can be combined into |ω| different polynomials. The probability that one of these polynomials P(x, y) (P ∈ {P_1, P_2, ..., P_|ω|}) occurs in a node is h = 1/|ω|. C_x is the event that x nodes are compromised in the network.
We have,
It is obtained by the union bound,
Each P(x, y) has an equal probability of being broken. That is,
Therefore,
The total number of terms in P(x, y):
Because every coefficient a_ij (i, j = 0, 1, ..., λ) in P(x, y) is different, the safety threshold of the proposed scheme is λ. Therefore we get the following upper bound:
The fraction of compromised network communication: c is a link over which two uncompromised nodes communicate with a common key K. B_i is the event that the common key K of two nodes is derived from the compromised key space S_i.
The link c is built securely by one common key K that is derived from a key space S_i. Since the events B_1, B_2, ..., B_|ω| are mutually exclusive and each B_i occurs with equal probability, we have
Note that (K ∈ S_1) represents the event "key K was derived from S_i". The event (K ∈ S_1) is independent of the events C_x and "S_1 is compromised".
The probability of the event (K ∈ S_1) equals the probability of the event "the link c is established by space S_i". Each key space appears randomly and uniformly in a node.
Therefore, the probability that one link is compromised when x nodes are captured is
Assume that w secure communication links do not involve any of the x compromised nodes. Denote by R the event "the rest of the w secure communication links, excluding those in which the x compromised nodes participate". That is,
The above equation indicates that, given that x nodes are compromised, the fraction of compromised secure communication links outside of those x compromised nodes is the same as the probability of one P(x, y) being compromised.

Comparison to previous work
Although many key management schemes based on Blundo's scheme can ensure that all nodes are able to connect, they face the λ-security problem. The security analysis shows that our scheme not only offers more effective resilience to node capture attacks for the λ-security problem, but also has better resistance to node capture attacks than other key management schemes. Table 2 lists the schemes compared in this article.
Figure 6 shows that our scheme offers better resilience to node capture attacks than q-composite, Liu, Ning & Li (2003) and Zhang, Li & Li (2018). If attackers capture 231 sensor nodes, about 22.8% of the pairwise keys between non-compromised nodes in our scheme with λ = 1 and t = 1 will be compromised. If an attacker captures 401 nodes, about 46.5% of the pairwise keys between non-compromised nodes will be compromised. In Blundo et al. (1998), when the number of captured nodes reaches 410, all pairwise keys between non-compromised nodes are compromised. In Liu, Ning & Li (2003), when the number of captured nodes reaches 500, all pairwise keys between non-compromised nodes are compromised. In Zhang, Li & Li (2018), when the number of captured nodes reaches 500, about 91.0% of the pairwise keys between non-compromised nodes are compromised. In q-composite (q = 2) and q-composite (q = 3), when the number of captured nodes reaches 800, almost all pairwise keys between non-compromised nodes are compromised.

Resilience to node capture in our scheme
In our scheme λ and t are related: together they determine the fraction of compromised links. Figure 7 shows the relationship between the fraction of compromised links between non-compromised sensors and the number of compromised nodes for different values of λ and t. If attackers capture 1,000 sensor nodes, about 90.2% of the pairwise keys between non-compromised nodes will be compromised when λ = 1 and t = 1. If attackers capture 1.0 × 10^8 sensor nodes, nearly no pairwise keys between non-compromised nodes will be compromised when λ = 3 and t = 2. In fact, with λ = 3 and t = 2 the sensor network can hold at least 1.0 × 10^8 nodes, which is enough to meet the requirements of many scenarios.

Connectivity rate
A higher connectivity rate of the node network increases the communication efficiency of the nodes and reduces the energy lost in communication. Figure 8 compares the network connectivity of the proposed scheme with that of Liu, Ning & Li (2003) and q-composite (Chan, Perrig & Song, 2003). In the simulation, we assume that q-composite preloads s = 50 keys in each sensor, and that τ = 10 and τ = 20 polynomials are preloaded in each node in Liu, Ning & Li (2003). The result illustrates that the proposed scheme has 100% connectivity regardless of the size of the polynomial pool. Table 3 shows in more detail that our scheme offers a better connectivity rate than the other three schemes, and inherits from Blundo et al. (1998) the property that every node in a sensor network is able to establish a connection. When three polynomials are selected from one polynomial pool holding 25 polynomials, about 33.0% of the nodes in Liu, Ning & Li (2003) are connected; to keep 34.6% of the nodes connected, Liu, Ning & Li (2003) has to select two polynomials from a pool of 11 polynomials. In q-composite (q = 2) (Chan, Perrig & Song, 2003), when 20 keys are selected from one key pool holding 340 keys, about 33.2% of the nodes are connected; to keep 32.0% of the nodes connected, the q-composite (q = 3) scheme (Chan, Perrig & Song, 2003) has to scale the key pool down to 200. When three polynomials are selected from one polynomial pool holding 18 polynomials, about 57.8% of the nodes in Zhang, Li & Li (2018) are connected; when two polynomials are selected from the same pool, only about 31.8% of the nodes in Zhang, Li & Li (2018) are connected.

Resource overhead
We selected several classic key management solutions for a comparative study of communication, computation, and storage overhead. For convenience, we only consider the cost of the polynomial P(x, y). l_k represents the length of a key; we assume that each generated key takes the same storage as a coefficient of a λ-degree polynomial. l_ID is the length of a node or key identifier; we assume that node and key identifiers have the same length. τ is the number of polynomials selected for each node in Liu, Ning & Li (2003) and Zhang, Li & Li (2018). s is the number of keys preloaded in each sensor. We estimate the computation, communication, and storage energy consumed by constrained nodes during pairwise key establishment. Since a set of polynomials is selected from a polynomial pool, we use the same number of polynomials per node for Liu, Ning & Li (2003) and Zhang, Li & Li (2018). The polynomial degree λ is the same for the four schemes. Table 4 lists the comparative study of resource overheads.

Computational overhead
Polynomial-based key management schemes rely on two nodes holding the same polynomial. In other words, the polynomial has an important impact on the computation cost in the nodes when the pairwise key is established. To evaluate the computational cost, we mainly consider the number of polynomial evaluations. Table 5 lists the computational overhead of the comparative study, which shows that these four schemes have the same computational consumption. Although these schemes have the same computational overhead, our scheme has advantages over the other three schemes in some field environments, with better resilience against node capture and lower storage overhead.

Communication overhead
The information exchange of wireless sensor networks relies on the emission of electromagnetic waves, which depletes much of the energy carried by the nodes. In other words, the energy cost of communication is significantly affected by the length of the communication messages and the number of data packets: the longer the data, the more energy is consumed in communication. When the pairwise key is established, these schemes mainly send the identities of the node, the identities of the secret key and the identities of the polynomial. τ is the number of polynomials selected for each node. Note that both l_k and l_ID are 32 bits. Figure 9 compares the communication consumption of our scheme with Blundo et al. (1998), Liu, Ning & Li (2003) and Zhang, Li & Li (2018), where the energy spent in communication is represented by the length of the information (bits). The figure clearly illustrates that the communication cost of our scheme is significantly lower than in Zhang, Li & Li (2018) and Liu, Ning & Li (2003), and equal to Blundo et al. (1998), during pairwise key establishment. Like Blundo et al. (1998), our scheme only needs the nodes to pass their own identities to each other, which improves communication efficiency and reduces the energy the nodes consume in communication.

Storage overhead
Sensor nodes are highly constrained in terms of memory resources. When designing a key management scheme, we should reduce the memory overhead of nodes as much as possible. The storage overhead of this scheme depends on the cost of the nodes' identities, the coefficients of the λ-degree polynomials and the identities of the polynomials, where l_k = log_2 q. Table 7 lists the storage overhead of the comparative study, in which τ = 50 and s = 25. Assume that both l_k and l_ID are 32 bits. Figure 10 compares the memory consumption (bits) of our scheme with Blundo et al. (1998), Liu, Ning & Li (2003) and Zhang, Li & Li (2018), which clearly shows the advantage of our scheme to some extent. When λ is no more than 50, the storage cost of our scheme during pairwise key establishment is much smaller than in Zhang, Li & Li (2018) and Liu, Ning & Li (2003). The storage overhead of our scheme remains stable and does not change with the number of nodes. In fact, with a small λ, our scheme can still hold a large number of nodes and maintain better resilience to node capture. With λ = 3, our scheme can hold 5.53 × 10^19 nodes in a network, whereas Liu, Ning & Li (2003) (λ = 18, τ = 3, |ω| = 25) is only able to hold 158 nodes. When 1.0 × 10^8 nodes are captured in a network, the capture rate of communication links between non-compromised nodes is still close to 0. Therefore, our scheme has greater advantages in large-scale networks, with both lower storage overhead and better resilience to node capture attacks.

CONCLUSIONS
We proposed a key management scheme with a dynamic coefficient symmetric polynomial. The scheme lets every pair of communicating nodes map their own IDs to elements of the shared matrix M and assigns these elements to the polynomial P(x, y) to establish pairwise keys. Unlike other schemes, ours deterministically configures a different polynomial for each pair of communicating nodes through an identity mapping algorithm. This enables a high connectivity rate and solves the λ-security problem of key management, as long as no hash collision occurs. The security analysis shows that the proposed scheme has stronger resilience to node capture under various types of attacks. It consumes less energy in storage and communication than other protocols.


Table 2
Some different schemes of comparison.

Table 3
Comparison of connectivity among various schemes.

Table 4
Comparative study in resource overheads.